Critical Supply‑Chain Attacks in Daemon Tools Lite, TanStack, and Nx Console (CVE‑2026‑8398, CVE‑2026‑45321, CVE‑2026‑48027) Added to CISA KEV Catalog
What It Is — CISA has added three high‑severity supply‑chain vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog. The flaws affect Daemon Tools Lite installers, TanStack npm packages, and the Nx Console VS Code extension, each receiving a CVSS v4.0 score of 9.3‑9.5.
Exploitability — All three vulnerabilities have been observed in the wild: maliciously signed Daemon Tools binaries were distributed, 84 compromised TanStack npm versions were published via a hijacked GitHub Actions workflow, and a tainted Nx Console package was live on the Visual Studio Marketplace for 36 minutes before removal. Active exploitation is confirmed.
Affected Products — Daemon Tools Lite (AVB Disc Soft), TanStack JavaScript libraries (npm), Nx Console extension (Visual Studio Marketplace/OpenVSX).
TPRM Impact — These incidents highlight the systemic risk posed by third‑party software components in development pipelines, the potential for credential theft, and the downstream propagation of malware to enterprise environments that rely on trusted supply chains.
Recommended Actions —
- Enforce strict provenance checks: require reproducible builds and verify code‑signing certificates for all third‑party binaries.
- Immediately upgrade to clean releases: Daemon Tools Lite ≥ 5.2.0, Nx Console ≥ 18.100.0; remove any compromised TanStack npm packages from internal repositories.
- Harden CI/CD pipelines: restrict
pull_request_targetusage, limit OIDC token scopes, and monitor GitHub Actions for anomalous token access. - Align remediation with CISA’s June 10 2026 deadline and document compliance for audit and contractual obligations.
Source: SecurityAffairs